Snort mailing list archives

RE: VLAN tagging question

From: Mike Shaw <mshaw () wwisp com>
Date: Mon, 03 Dec 2001 11:15:48 -0600

In a Cisco switch, you can monitor multiple VLANs from one monitor port. I*think* you just put multiple VLAN #s seperated by commas.


-Mike

At 09:24 AM 12/3/2001 -0500, Wild, Andrew wrote:

        OK, I understand this, but I want to monitor multiple VLANs at the
same time without having to span ports and use multiple ethernet interfaces
on my IDS host.




> I would not try to monitor the VLAN trunk directly. Instead span the trunk
> port from your switch to another port on the same switch that your snort
> box will monitor. With Cisco the default management vlan "1" is probably
> the one you wish to monitor. You can grab all the traffic with a port span
> without having to be concerned about 802.1q vlan tags.
>
> Cliff
>
>
> In a message dated 12/3/2001 8:28:38 AM Eastern Standard Time,
> AWild () tnsi com writes:
>
>
>
>
>       Don't know if this is possible, since I'm not sure where the VLAN
> tags are
>       removed from an Ethernet frame.
>
>       Can I use a tap to monitor an Ethernet trunk (full duplex connection
> with
>       every frame containing 802.1q vlan tags) and have SNORT understand
> the
>       frames?  How do you configure the interface to recognize and strip
> off the
>       vlan tags?  I expect to have the interface configured without an IP
> address
>       running in promiscuous mode capturing all frames.  Is this OS
> dependent, or
>       does the app need to be aware of the vlan tags?
>
>       _______________________________________________
>       Snort-users mailing list
>       Snort-users () lists sourceforge net
>       Go to this URL to change user options or unsubscribe:
>       https://lists.sourceforge.net/lists/listinfo/snort-users
>       Snort-users list archive:
>       http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: VLAN tagging question, (continued)
- Re: VLAN tagging question Ryan Russell (Dec 03)
  - Re: VLAN tagging question Fyodor (Dec 03)
    - Re: VLAN tagging question Ryan Russell (Dec 03)
    - Re: VLAN tagging question Fyodor (Dec 03)
    - Re: VLAN tagging question Martin Roesch (Dec 03)
    - Re: VLAN tagging question Ryan Russell (Dec 03)
    - Re: VLAN tagging question Martin Roesch (Dec 03)
- RE: VLAN tagging question Wild, Andrew (Dec 03)
- Re: VLAN tagging question SkatFiend (Dec 03)
- RE: VLAN tagging question Graeme Fowler (Dec 03)
- RE: VLAN tagging question Mike Shaw (Dec 03)
- RE: VLAN tagging question Ju Kong Fui (Dec 03)